How can I verify whether the communication between the client library and upstream APIs is taking place securely?

If we go through this document we can see that the communication between Terraform and the APIs takes place at two levels:
First, an RPC communication between core and provider, which is by default secured by TLS 1.2.
Second, between the client library and the target API.
How can we make sure this communication between the client library and the APIs is secure and encrypted?

That depends on the provider and whatever configuration you use. For example, the AWS provider uses HTTPS API endpoints. Other providers might allow plain HTTP endpoints (for example, the Vault provider can work with both HTTP and HTTPS).

So this is what I understand; correct me if I am wrong:

Let's say I am using 10 different providers. For each of them I have to check, through its Terraform documentation, whether the provider enforces TLS. For example, in the Vault provider we have [skip_tls_verify]; such options are specific to each module, and I just have to make sure that these are set to false or true according to the documentation.

Also, how do I check which TLS version has been used? Is it 1.2 or older?

That is correct. Any provider configuration only affects that specific provider.

Regarding things like the TLS versions supported/required, that again is down to the individual provider. Some providers might give you the ability to configure such settings, but in general you need to read the documentation (which might include the CHANGELOG file for some details) for each provider to understand how TLS works.

You can use things like provider version constraints to ensure you are using the correct version. There are also tools like Checkov that could be used within your build/deployment pipelines to enforce certain approved sets of configuration values.
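As an added illustration of the two points in this answer (per-provider TLS options and a pipeline check for approved configuration values), here is a small Python script that is not part of the thread and is not Checkov; it is a stand-in for the kind of policy a tool like Checkov would enforce. It scans Terraform provider blocks for a plaintext `http://` endpoint, for an argument that disables certificate verification, and for providers declared in `required_providers` without a version constraint. The `skip_tls_verify` argument for the Vault provider comes from the thread; the AWS `insecure` and vSphere `allow_unverified_ssl` argument names, the endpoint argument names and the version strings are my assumptions and should be checked against the documentation of the provider versions you pin. The two Terraform fragments are constructed samples: a weak configuration and its corrected form.

```python
import re

# Arguments that switch off certificate verification, per provider.
# "vault" -> skip_tls_verify is from the thread; the other two are assumptions
# to be verified against the provider docs for your pinned versions.
TLS_VERIFY_BYPASS = {
    "vault": "skip_tls_verify",
    "aws": "insecure",
    "vsphere": "allow_unverified_ssl",
}

# Argument names that carry an endpoint URL (assumption, per provider).
ENDPOINT_ARGS = {"address", "endpoint", "url", "vsphere_server"}

PROVIDER_RE = re.compile(r'provider\s+"([^"]+)"\s*\{')
REQUIRED_RE = re.compile(r'required_providers\s*\{')
ENTRY_RE = re.compile(r'(\w+)\s*=\s*\{')
ARG_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$', re.M)


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'.
    Brace counting keeps nested blocks (e.g. assume_role {}) inside the body."""
    depth, i = 0, open_idx
    while i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
        if depth == 0:
            return text[open_idx + 1:i - 1]
    raise ValueError("unbalanced braces in configuration")


def check_provider(name, body):
    """Findings for one provider block: verification bypass and plaintext endpoints."""
    findings = []
    args = {k: v.strip().strip('"') for k, v in ARG_RE.findall(body)}
    bypass = TLS_VERIFY_BYPASS.get(name)
    if bypass and args.get(bypass, "false").lower() == "true":
        findings.append(f"{name}: {bypass} = true disables certificate verification")
    for key in sorted(ENDPOINT_ARGS & args.keys()):
        if args[key].lower().startswith("http://"):
            findings.append(f"{name}: {key} uses plaintext http: {args[key]}")
    return findings


def unpinned_providers(hcl):
    """Names inside required_providers that have no version constraint."""
    unpinned = []
    for m in REQUIRED_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)
        for e in ENTRY_RE.finditer(body):
            entry = _block_body(body, e.end() - 1)
            if not re.search(r"^\s*version\s*=", entry, re.M):
                unpinned.append(e.group(1))
    return unpinned


def scan(hcl):
    """All findings for a Terraform configuration string, in a stable order."""
    findings = []
    for m in PROVIDER_RE.finditer(hcl):
        findings += check_provider(m.group(1), _block_body(hcl, m.end() - 1))
    findings += [f"{n}: no version constraint in required_providers"
                 for n in unpinned_providers(hcl)]
    return findings


# Constructed sample: plaintext endpoint, verification disabled, no version pin.
WEAK = '''
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

provider "vault" {
  address         = "http://vault.internal:8200"
  skip_tls_verify = true
}
'''

# Constructed sample: HTTPS, verification on with a pinned CA, versions constrained.
# Version strings and the CA path are placeholders, not recommendations.
HARDENED = '''
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 3.0"
    }
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "vault" {
  address         = "https://vault.internal:8200"
  skip_tls_verify = false
  ca_cert_file    = "/etc/ssl/vault-ca.pem"
}

provider "aws" {
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::123456789012:role/deploy"
  }
}
'''

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, scan(cfg) or "no findings")
```

Run it against a real configuration by reading the `.tf` files into a string and calling `scan`; a non-empty result should fail the pipeline step. The regex parsing is deliberately minimal and only handles the `key = value` and block shapes shown, so for anything beyond a quick gate use a real HCL parser or a policy tool such as Checkov.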

Thanks for clearing that up.
Also, it is correct, right, that Terraform core and plugins communicate securely using TLS 1.2?


No public API should ever be exposed without TLS, and no public service provider would ever have this option, so it's not even possible for Terraform to connect without TLS in most cases. Unless you yourself are explicitly configuring a service for bare HTTP, it's not something to be concerned about.

Providers are executed locally via gRPC, so outside of testing there is no way to create an insecure connection.

Well, it depends on the provider you are using. For example, it is completely possible to use HTTP connectivity with the VMware, Vault or Elasticsearch provider (even though it would be good practice not to do so).

Yeah, I was trying to stress "public" there; there are many services you can configure however you want internally, but if you've configured it to connect via HTTP, then you know it's connecting via HTTP.

Where can I read more about this gRPC communication and the security protocols being used? Any links to refer to?

The Wikipedia page contains numerous references, but overall the documentation is quite good.